Xref: utzoo alt.security:748 comp.protocols.tcp-ip:11543
Path: utzoo!mnetor!geac!torsqnt!news-server.csri.toronto.edu!cs.utexas.edu!execu!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F. Haugh II)
Newsgroups: alt.security,comp.protocols.tcp-ip
Subject: Re: anonymous ftp, and the dangers thereof
Message-ID: <18373@rpp386.cactus.org>
Date: 4 Jun 90 13:06:18 GMT
References: <1990Apr20.192233.4092@utzoo.uucp> <6721@blake.acs.washington.edu>
Reply-To: jfh@rpp386.cactus.org (John F. Haugh II)
Organization: Lone Star Cafe and BBS Service
Lines: 48
X-Clever-Slogan: Recycle or Die.

In article zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff) writes:
>All this emphasis on turning off tftp and waiting for shadow password
>files may be clouding the simpler and more effective solution. Force
>users to pick good passwords! Something with some non-alpha
>characters and mixed case (not the first letter capital).

Using "good" passwords is meaningless without some control over the
encrypted passwords, because as sure as the sun rises in the east,
people write down "good" passwords. On the other hand, permitting
crappy passwords and protecting the access to the encrypted crappy
password can be secure if the number of possible trials per unit time
is sufficiently small.

A common feature of many [ including mine ] enhanced login schemes is
a limit to the number of consecutive failures, which limits the number
of failing login attempts on a port to a very small number per unit
time, while not increasing [ by way of using excessively complex
computation scams ] the time to login successfully. Another feature is
to limit the number of failed attempts on an account before the account
is turned off. Given this setup using the shadow login code I posted
last year,

% faillog -u root -p -u jfh -p
Username   Failures    Maximum     Latest
root              0          0   Sat May 26 13:49:38 1990 on tty1A
jfh               1       1000   Mon Jun  4 07:57:21 1990 on tty01

my account will be expired after 1,000 failures.

After 1,000 failed trials the bad guy will no longer be able to know
whether the password is good or bad. If I were extremely paranoid I
could lower this value to 10 or so and use trivial English words such
as "Cat" or "Dog" without too much concern.

On my system the maximum failed login rate is on the order of 6 per
minute through the modems. This is a factor of 10,000 slower than
estimates of PCs, which many have stated at being near 1,000 per
second. However, since I control the access to my encrypted passwords,
the problem is serialized at my machine, while someone is perfectly
free to employ two or more other machines to parallelize the problem
in an unprotected environment.

Moral of the story: pester your vendor for shadow password support ...
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                           Domain: jfh@rpp386.cactus.org
Proud Pilot of RS/6000 Serial #1472
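The two controls Haugh describes, a per-port limit on consecutive failures and a per-account failure maximum after which the account is turned off, can be modelled in a few dozen lines. The following is an added example written for this page; it is not the shadow login code the post refers to, and the `LoginGuard` class, its method names, the constructed passwords and the `tty01`/`tty1A` timestamps are all assumptions made here. A maximum of 0 means "no limit", matching the `root` line in the `faillog` output above, and an expired account rejects even the correct password, which is the property the post relies on: past the limit, the guesser can no longer learn whether a candidate was right.

```python
# Added example (not the shadow suite's code): a model of a per-port
# consecutive-failure limit plus a per-account failure maximum, in the
# style of the faillog record shown in the post.
from dataclasses import dataclass


@dataclass
class FailRecord:
    """One faillog-style entry. maximum == 0 means no limit."""
    failures: int = 0      # consecutive failures since the last success
    maximum: int = 0       # expire the account once failures reach this
    latest: str = "-"      # when/where the latest failure happened


class LoginGuard:
    def __init__(self, port_limit: int = 3):
        # Consecutive failures tolerated on one port before the line is
        # dropped; this caps the guess rate a single line can sustain.
        self.port_limit = port_limit
        self.accounts: dict[str, FailRecord] = {}
        self.passwords: dict[str, str] = {}   # constructed, plaintext for the model
        self.port_failures: dict[str, int] = {}

    def add_user(self, name: str, password: str, maximum: int) -> None:
        self.passwords[name] = password
        self.accounts[name] = FailRecord(maximum=maximum)

    def is_expired(self, name: str) -> bool:
        rec = self.accounts.get(name)
        return rec is not None and rec.maximum > 0 and rec.failures >= rec.maximum

    def attempt(self, name: str, password: str, port: str, when: str) -> str:
        """Return 'ok', 'denied' or 'hangup'.

        Unknown users, wrong passwords and expired accounts all yield the same
        'denied', so the caller learns nothing about which case applied.
        """
        rec = self.accounts.get(name)
        correct = rec is not None and password == self.passwords[name]
        if correct and not self.is_expired(name):
            rec.failures = 0                 # success resets the account counter
            self.port_failures[port] = 0     # and the port's run of failures
            return "ok"
        if rec is not None:
            rec.failures += 1
            rec.latest = f"{when} on {port}"
        self.port_failures[port] = self.port_failures.get(port, 0) + 1
        if self.port_failures[port] >= self.port_limit:
            self.port_failures[port] = 0     # the line is dropped; counter restarts
            return "hangup"
        return "denied"

    def report(self) -> list[str]:
        """Render the accounts in the column layout of the post's faillog output."""
        lines = ["Username   Failures    Maximum     Latest"]
        for name, rec in self.accounts.items():
            lines.append(f"{name:<10} {rec.failures:>8}   {rec.maximum:>8}   {rec.latest}")
        return lines


def demo() -> LoginGuard:
    """Run the scenario from the post with the paranoid maximum of 10 (constructed data)."""
    guard = LoginGuard(port_limit=3)
    guard.add_user("jfh", "Cat", maximum=10)            # trivial word, low maximum
    guard.add_user("root", "r00t-example", maximum=0)   # constructed; no limit
    for i in range(10):
        guard.attempt("jfh", "Dog", "tty01", f"Mon Jun  4 08:{i:02d}:00 1990")
    return guard


if __name__ == "__main__":
    g = demo()
    print("\n".join(g.report()))
    print("correct password after expiry:", g.attempt("jfh", "Cat", "tty01", "later"))
```

Running `demo()` shows the port dropping the line on every third failure and the `jfh` account expiring after the tenth, after which the correct password is refused just like a wrong one; `root`, with maximum 0, keeps accepting its password no matter how many failures precede it.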